fix(cyclonedx): resolve missing vulnerabilities in folder-scan output #202

Merged
isasmendiagus merged 3 commits into main from fix/SP-4222/cyclonedx-missing-vulnerabilities
Apr 1, 2026

Conversation

@isasmendiagus (Contributor) commented Apr 1, 2026

Summary

  • Fixed append_vulnerabilities in cyclonedx.py reading the wrong key (purls) from the vulnerability API response — the correct key is components (per the ComponentsVulnerabilityResponse protobuf definition)
  • This caused the vulnerabilities array in CycloneDX output to always be empty when using the fs (folder-scan) command
  • Bumped version to 1.51.1

Test plan

  • Verified vulnerability API response structure returns data under components key
  • Confirmed append_vulnerabilities correctly parses and appends 7 CVEs for OpenSSL
  • All 294 unit tests pass

Summary by CodeRabbit

  • Bug Fixes

    • Vulnerabilities now appear correctly in CycloneDX output when using folder-scan (fs) mode.
    • CycloneDX export no longer omits vulnerabilities from stdout when using the --output option.
  • Chores

    • Bumped package to v1.51.1 and added a release entry to the changelog (1.51.1).

The append_vulnerabilities method was reading the wrong key from the
vulnerability API response ('purls' instead of 'components'), causing
vulnerabilities to be silently dropped from CycloneDX output.
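As an added illustration (not code from the scanoss project), the two readers below model the failure the PR describes: a reader keyed on `purls` silently yields an empty vulnerabilities array, while the corrected reader keyed on `components` fails loudly if that key is absent. The per-item fields, the CycloneDX mapping and the sample response are constructed assumptions; only the top-level key names come from the PR.

```python
"""Added example, not the scanoss project's code: model of the CycloneDX
vulnerability-append bug described in the PR and a defensive replacement."""
import json

# Constructed sample response. Only the top-level "components" key is taken from
# the PR; per-item fields (purl, vulnerabilities, id, source) and the CVE ids are
# placeholders chosen for illustration.
SAMPLE_RESPONSE = {
    "components": [
        {
            "purl": "pkg:generic/openssl@1.1.1",
            "vulnerabilities": [
                {"id": "CVE-0000-0001", "source": "example-source"},
                {"id": "CVE-0000-0002", "source": "example-source"},
            ],
        }
    ]
}

def legacy_extract(response: dict) -> list:
    """Pre-fix behaviour as the PR describes it: the wrong key plus a tolerant
    .get() returns [] for every response, so the BOM silently has no vulnerabilities."""
    return [v for item in response.get("purls", []) for v in item.get("vulnerabilities", [])]

def extract_vulnerabilities(response: dict, key: str = "components") -> list:
    """Read items from the expected key and map them to CycloneDX vulnerability
    objects (id, source.name, affects[].ref). Fail loudly on an unexpected shape."""
    if key not in response:
        raise KeyError(f"expected '{key}' in vulnerability response, got {sorted(response)}")
    vulns = []
    for item in response[key]:
        for v in item.get("vulnerabilities", []):
            vulns.append({
                "id": v["id"],
                "source": {"name": v.get("source", "")},
                "affects": [{"ref": item["purl"]}],
            })
    return vulns

def append_vulnerabilities(bom: dict, response: dict) -> dict:
    """Append the mapped records to an existing CycloneDX BOM dict."""
    bom.setdefault("vulnerabilities", []).extend(extract_vulnerabilities(response))
    return bom

if __name__ == "__main__":
    bom = append_vulnerabilities({"bomFormat": "CycloneDX", "specVersion": "1.5"}, SAMPLE_RESPONSE)
    print(json.dumps(bom, indent=2))
```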
coderabbitai Bot commented Apr 1, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 26c8b324-1e1f-4d92-aa34-0bcb978b9587

📥 Commits

Reviewing files that changed from the base of the PR and between 58a5eb2 and a8c955f.

📒 Files selected for processing (3)
  • CHANGELOG.md
  • src/scanoss/cyclonedx.py
  • src/scanoss/scanners/scanner_hfh.py
✅ Files skipped from review due to trivial changes (1)
  • CHANGELOG.md
🚧 Files skipped from review as they are similar to previous changes (1)
  • src/scanoss/cyclonedx.py

📝 Walkthrough

Walkthrough

Bumps package version to 1.51.1, fixes CycloneDX vulnerability extraction to read items from vulnerabilities_data['components'] instead of ['purls'], and adds a print_output parameter to CycloneDX serialization to allow callers to suppress writing/printing.

Changes

| Cohort / File(s) | Summary |
| --- | --- |
| Release & Version: CHANGELOG.md, src/scanoss/__init__.py | Added 1.51.1 changelog entry and bumped __version__ to 1.51.1. |
| CycloneDX core: src/scanoss/cyclonedx.py | CycloneDx.produce_from_json gains print_output: bool = True to conditionally skip writing/printing; append_vulnerabilities now reads vulnerability items from vulnerabilities_data['components'] (was ['purls']) and preserves prior early-return behavior. |
| Scanner caller update: src/scanoss/scanners/scanner_hfh.py | Calls cdx.produce_from_json(..., print_output=False) to suppress duplicate CycloneDX printing when generating output for HFH scanner. |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Suggested labels

bug

Suggested reviewers

  • eeisegn
  • ortizjeronimo

Poem

🐰 I hopped through code with quick small hops,
Found components hiding where purls once stopped,
I nudged a flag to quiet the stream,
Now CycloneDX behaves as we dreamed,
Hooray — a tidy, safer scan it propped. 🌱

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
| --- | --- | --- | --- |
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 75.00% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |

✅ Passed checks (2 passed)

| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title clearly and specifically describes the main fix: resolving missing vulnerabilities in CycloneDX folder-scan output, which aligns with the core change of correcting the key used in append_vulnerabilities from 'purls' to 'components'. |


github-actions Bot commented Apr 1, 2026

SCANOSS SCAN Completed 🚀

  • Detected components: 2
  • Undeclared components: 0
  • Declared components: 2
  • Detected files: 110
  • Detected files undeclared: 0
  • Detected files declared: 110
  • Licenses detected: 1
  • Licenses detected with copyleft: 0
  • Policies: ✅ 1 pass (1 total)

View more details on SCANOSS Action Summary

coderabbitai Bot left a comment

Actionable comments posted: 1


Inline comments:
In `@CHANGELOG.md`:
- Line 10: The release heading "[1.51.1]" is missing its compare link reference;
add a reference definition for [1.51.1] at the bottom of CHANGELOG.md that
points to the compare URL for the v1.51.0...v1.51.1 range (same format used by
other entries), so the heading links correctly to the diff between those tags.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: fadc8285-a291-4478-ba3b-cc35df4407f7

📥 Commits

Reviewing files that changed from the base of the PR and between 0af5c2d and 1c51d03.

📒 Files selected for processing (3)
  • CHANGELOG.md
  • src/scanoss/__init__.py
  • src/scanoss/cyclonedx.py

github-actions Bot commented Apr 1, 2026

SCANOSS SCAN Completed 🚀

  • Detected components: 2
  • Undeclared components: 0
  • Declared components: 2
  • Detected files: 110
  • Detected files undeclared: 0
  • Detected files declared: 110
  • Licenses detected: 1
  • Licenses detected with copyleft: 0
  • Policies: ✅ 1 pass (1 total)

View more details on SCANOSS Action Summary

github-actions Bot commented Apr 1, 2026

SCANOSS SCAN Completed 🚀

  • Detected components: 2
  • Undeclared components: 0
  • Declared components: 2
  • Detected files: 110
  • Detected files undeclared: 0
  • Detected files declared: 110
  • Licenses detected: 1
  • Licenses detected with copyleft: 0
  • Policies: ✅ 1 pass (1 total)

View more details on SCANOSS Action Summary

@isasmendiagus isasmendiagus merged commit 72c17ac into main Apr 1, 2026
6 checks passed
@isasmendiagus isasmendiagus deleted the fix/SP-4222/cyclonedx-missing-vulnerabilities branch April 1, 2026 09:09